Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Another Day, Another Firefox Security Fix

Once upon a time, Firefox was known for being far less prone to security bugs than Internet Explorer. Things have changed.

On Nov. 27, Mozilla released the newest, security-patched version of the popular Web browser, Firefox 2.0.0.10.

The vast majority of Firefox users will have the latest and greatest automatically installed on their systems. This latest update includes fixes for three security bugs.

Perhaps the most important of these fixes is one that prevents an XSS (Cross-Site Scripting) attack. This particular XSS fix prevents the "jar: URI" hazard, which is a mechanism that had been designed to support digitally signed Web pages.

This in turn enabled Web administrators to set up sites that could load pages that had been packaged in .zip archives containing signatures in Java archive format. The problem was that Firefox couldnt identify the true source of the jar: content.

Heres how it might work in practice. Many Web 2.0 applications allow the upload of jar/.zip files. For example, Web mail clients, collaboration systems and document sharing systems all allow such uploads. You see such popular document formats as OpenWriters .odt (OpenDocument Text) and Microsoft Office 2007 Open XML use the .zip format to space.

Youre probably beginning to see where this goes. All an attacker need do is create a document in one of those formats, change its extension to .zip and, ta-da, instant Trojan horse.